Hunt threats, tune detections, own the alerts L1 can't close.
L2 analysts take over what L1 can't close. The role demands hypothesis-driven hunting, detection engineering against MITRE ATT&CK, and the discipline to feed every investigation back into rule tuning so the queue stays manageable.
FAANG
Expect a deep hunt scenario plus a detection-as-code coding round.
Consultancy
Breadth across multiple SIEMs and client environments matters more than depth in one.
// Sample question
An L1 escalates a beacon-like network pattern from a finance laptop. What's your hunt plan for the next 30 minutes?
Confirm the pattern first: pull the connection interval and jitter from proxy or DNS logs so you are chasing a real beacon rather than a scheduled updater. Then pull the EDR process tree and parent context for the process making the connections, hash the binary and check VT and internal sightings, pivot on the suspected C2 domain across proxy and DNS logs to scope the blast radius (which other hosts talk to it, and since when), validate persistence (scheduled tasks, registry run keys, services), and either contain via EDR isolation or hand to IR with a timeline and IOCs.
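The first two steps of that plan, confirming periodicity and scoping the domain across other hosts, reduce to a small piece of detection logic. The block below is an added example, not code from the page or from any product it describes; the proxy log lines, the host names (FIN-LT-017, HR-LT-003, ENG-WS-042) and the domain cdn.example-update.net are all constructed for illustration. It groups requests by (source host, destination domain), computes the coefficient of variation of the inter-request gap, and flags pairs whose timing is near-constant, then lists every host that contacted the flagged domain.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (fabricated for this example): UTC timestamp,
# source host, destination domain, bytes out. FIN-LT-017 stands in for the
# escalated finance laptop; cdn.example-update.net is a hypothetical domain.
SAMPLE_LOG = """\
2024-03-04T09:00:00Z FIN-LT-017 cdn.example-update.net 512
2024-03-04T09:01:00Z FIN-LT-017 cdn.example-update.net 520
2024-03-04T09:02:01Z FIN-LT-017 cdn.example-update.net 508
2024-03-04T09:02:30Z FIN-LT-017 www.example.com 81234
2024-03-04T09:03:00Z FIN-LT-017 cdn.example-update.net 515
2024-03-04T09:04:00Z FIN-LT-017 cdn.example-update.net 510
2024-03-04T09:05:01Z FIN-LT-017 cdn.example-update.net 512
2024-03-04T09:06:00Z FIN-LT-017 cdn.example-update.net 509
2024-03-04T09:00:10Z HR-LT-003 www.example.com 40211
2024-03-04T09:07:45Z HR-LT-003 www.example.com 2201
2024-03-04T09:20:12Z HR-LT-003 cdn.example-update.net 511
2024-03-04T09:33:00Z ENG-WS-042 www.example.com 9001
"""


def parse_log(text):
    """Parse whitespace-separated proxy lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return events


def find_beacons(events, min_hits=5, max_cv=0.2):
    """Return (src, dst) pairs whose request timing is periodic.

    The coefficient of variation (stdev / mean) of the gap between
    consecutive requests is the signal: human browsing is bursty (high CV),
    while a sleep-loop implant with little jitter gives a near-constant gap.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["dst"])].append(ev)

    beacons = {}
    for pair, evs in by_pair.items():
        if len(evs) < min_hits:
            continue  # too few observations to call it periodic
        evs.sort(key=lambda e: e["ts"])  # log lines may not arrive in order
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # identical timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = {
                "hits": len(evs),
                "mean_interval_s": avg,
                "interval_cv": cv,
                "mean_bytes": mean([e["bytes"] for e in evs]),
            }
    return beacons


def scope_domain(events, domain):
    """Blast-radius pivot: every host that talked to the suspect domain."""
    return sorted({ev["src"] for ev in events if ev["dst"] == domain})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), stats in find_beacons(evs).items():
        print(f"{src} -> {dst}: {stats['hits']} hits every ~{stats['mean_interval_s']:.0f}s "
              f"(cv={stats['interval_cv']:.3f}); hosts contacting {dst}: {scope_domain(evs, dst)}")
```

On the sample data only FIN-LT-017 -> cdn.example-update.net is flagged (seven hits about 60 s apart, CV near 0.01), and the pivot shows HR-LT-003 also touched the domain once, which is the second host you would want on the timeline. Legitimate updaters and telemetry agents beacon too, so a low CV is a hunting lead, not a verdict; the process tree and binary hash steps in the answer are what turn it into one.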
AI-graded, role-specific, feedback on every answer. Free to start.